In 2022-23, the manufacturing, retail trade, and professional, scientific and technical services sectors together accounted for over 40% of ransomware-related cyber security incidents in Australia [1].
Unlike the majority of supply chain disruptions, cyber-based threats like ransomware can cause sudden and systemic impacts to organisations or the wider ecosystem. They can be prolonged – beyond what is contemplated in most business continuity plans. These characteristics set them apart from traditional disruptions such as labour and raw material shortages, or power outages.
Once a cyber event occurs, organisations can be left paralysed, unable to resume core operations. In some significant events we have encountered, core systems have been offline for more than a month. This outcome is deliberate: the longer the outage, the greater the attacker's leverage to force a ransom payment.
In this tightly woven global system of producers, distributors and consumers, supply chain leaders face the challenge of ensuring their operations are resilient against such attacks. Digital technologies are already helping supply chains become more transparent, efficient and agile, and will be core to future initiatives to improve industrial productivity. Yet as we grow our digital capabilities across ERP solutions, advanced planning, customer and supplier integration and shopfloor automation using cloud services and SaaS platforms, we also increase our systemic reliance on specific platforms, vendors and service providers. Moreover, it is not just the hosted services but also the underlying infrastructure, integration and desktop solutions that contribute to an organisation's overall cyber risk posture.
Whilst we may have outsourced some of these services, we cannot absolve ourselves of responsibility for managing their risk, given their potential to bring a supply chain to a stop. Boards and executives should therefore ask whether this risk is truly understood and being managed holistically.
This blog explores the cyber risks for physical supply chains, common mistakes in mitigation approaches and where to begin on developing your resilience.
Case Study 1: The 2017 NotPetya incident halted global supply networks when destructive malware, spread through a compromised software update, crippled the shipping and logistics giant Maersk among many other organisations. Total damage across the global network of logistics providers, FMCG companies, suppliers and customers was estimated at more than US$10 billion [2].
To understand the key risks to our operations we need to understand:
Third Party Risk and its impact on operations:
Our dependence on third-party software vendors, suppliers and service providers can introduce additional points of failure (or attack paths) into the network. This typically takes one of three forms:
Each of these three risk scenarios illustrates the need for a robust understanding of critical third parties and, where appropriate, additional assessment, assurance or secondary mitigation (e.g. an alternative supplier) to reduce the risk to within appetite.
Figure 1. Complexity of third-party relationships [3]
Another area of emerging concern is the systemic and fast-moving nature of cyber attacks, demonstrated when multiple organisations are impacted by the same attack group or the same software vulnerability. This partly explains why some insurers are seeking to limit their exposure to cyber-related risk, and it should feed into leadership thinking about whether an organisation has genuine resilience.
The convergence of IT and OT and what it means for cybersecurity:
In some sectors there is progressive convergence of IT, OT/ICS (operational technology/industrial control systems) and consumer-style IoT (Internet of Things) sensors. This trend is eroding the hard separation between these domains, introducing new entry points for infiltrating the supply chain network and new ways to take control of critical physical assets. Ultimately, more complexity makes this a harder risk to model.
As more software applications are integrated into our most critical operational assets and physical systems, the potential ramifications extend beyond data and information breaches to the misuse of physical assets, leading to damage to property or harm to lives. Moreover, the security practices that suit IT applications differ from those needed for OT systems, where making changes (e.g. applying security patches) can cause unintended consequences [4].
Figure 2. Organisations experience the impacts and consequences of catastrophic cyber incidents in multiple areas [5]
The questions we need to be asking:
Given the complex nature of supply chains and their high reliance on technology and automation, it is usually not economically viable for an organisation to adopt a stance of zero risk tolerance, or to try to understand every rabbit hole.
In our experience of assisting organisations, it’s critical to form a pragmatic and balanced view of the risk. Some key questions to ask in this process are:
We need to ensure that the right assessments are conducted and thoroughly address the critical risks our supply chain may be exposed to.
It is not uncommon to underestimate the risk of an attack on our supply chain assets, whether because we believe we are protected by the multitude of third-party vendors or because we assume our own security practices are robust. However, if companies wait until after an attack to prepare their response strategies, the cost to the business can be significant, including loss of software and hardware, lost revenue from disrupted operations, damage to customer trust and reputation, and regulatory fines.
Without appropriate risk assessment and management procedures, organisations may be left unable to resume operations, and the disruption ripples out to trading partners and consumers.
Case Study 2: Deloitte has worked with a large consumer goods producer to plan for a compromised state: understanding what it would take to operate in the absence of core functions and master data, which enablers in the manufacturing process are critical, and what service compromises could be made to keep operations running efficiently and effectively.
Overestimating the cost of a good mitigation strategy
Organisations may initially be deterred from embarking on a comprehensive cyber security program, including mitigation strategies, by the investment required. However, an efficient program selects the necessary strategies and controls in line with the relevant investment parameters and the likelihood of an attack, weighing the critical points of an organisation's cyber posture against what can be put in place while an impacted system is unavailable.
Thinking of security as something we can buy
Business leaders tend to think of security as something that can be bought with additional tools and features, rather than as a process. Developing response strategies requires active participation in comprehensive cyber risk assessments to identify critical risks across the technology stack, collaboration with supply chain partners to develop response plans, training of key stakeholders, and continuous monitoring of the organisation's technology landscape.
Security is therefore something we practice, not something we reach as a destination.
With the right insight into our risk profile, a comprehensive cyber resilience program can be built to ensure that organisations implement proactive measures and bolster their defences.
Our ability to withstand cyber incidents relies on building a response playbook that identifies the network's critical paths, defines a compromised mode of operation, and communicates these plans efficiently across our network:
The development of a compromised mode of operation is key to an agile and resilient network. We encourage you to ask: with comprehensive regeneration strategies in place, how much more resilient could my supply chain be?
Deloitte’s Supply Chain & Procurement and Cyber professionals provide comprehensive support in developing cyber-resilience programmes for government and private enterprise by utilising best practice frameworks, applied expertise and cyber assets. To begin your resilience journey, please contact us.
1. “ASD Cyber Threat Report 2022-2023”, Australian Government, November 2023 (ASD Cyber Threat Report 2022-2023 | Cyber.gov.au).
2. “The Untold Story of NotPetya, the Most Devastating Cyberattack in History”, Wired, August 2018 (The Untold Story of NotPetya, the Most Devastating Cyberattack in History | WIRED).
3. “Third Party Governance & Risk Management: Turning Risk into Opportunity”, Deloitte, 2015.
4. “Is Moving Operational Technology to the Cloud a Good Idea?”, Security Roundtable (Is Moving Operational Technology to the Cloud a Good Idea? (securityroundtable.org)).
5. “Digital Resilience and Enterprise Recovery: Would your business survive a catastrophic cyber attack?”, Deloitte, 2023 (deloitte-uk-digital-resilience-and-enterprise-recovery-whitepaper.pdf).
6. “The Five ICS Cybersecurity Critical Controls”, SANS, November 2022 (The Five ICS Cybersecurity Critical Controls (sans.org)).
7. “Infrastructure with Impact: Enhancing Critical Infrastructure Resilience in New Zealand”, pp. 60-61, Deloitte (Deloitte’s Global Infrastructure Magazine | Edition #2).
8. “Guidance for the Critical Infrastructure Risk Management Program”, Cyber and Infrastructure Security Centre, Australian Government, February 2023 (Guidance for the Critical Infrastructure Risk Management Program (cisc.gov.au)).